[Zope-Perl] Perl Method Security

[Gisle Aas]

Michel Pelletier <michel@digicool.com> writes:

> More questions to round up the book.  We want to skim (lightly) on
> through the web perl method security.  Are there any things we should
> inform the reader?

Probably.

> For example, is eval allowed?

eval $expr is certainly disallowed.  eval { } ought to be allowed, but
it seem to be trapped too.  Currently we are running with the same
opmask that you get by default with the perl Safe/Opcode module.  The
Zope system administrator should probably be allowed to influence what
opcodes to disallow somehow.

> Are there resource constraints?

No.  There are currently no limits on the CPU time that can be used or
the amount of memory that can be allocated by a running PerlMethod.  I
don't know any good way to impose such limits either.  Could we use OS
facilities to kill a run-off thread?

> Can attributes be assigned to objects?

No.  Attributes can be read and methods can be called if the
authenticated user has permission.  Attribute assigment has not been
implemented.  Should it be?

> I realize some of these issues may not be worked out, we can step aside
> those land-mines and point the reader to a URl for the most recent
> documentation.

No detailed documentation exists at this point.

> Speaking of URLs, what would you like the cannonical URL for Perl
> Methods to be?  something on Zope org?  Activestate?  Nothing pressing,
> there are still a couple months yet before things are set in stone.

Didn't we already have something under
http://www.zope.org/Wikis/zope-perl?  Currently I don't seem to be
able to access that server.

Regards,
Gisle